Jerusalem
Jerusalem is an early DOS file infector virus discovered in Israel in late 1987https://www.f-secure.com/v-descs/jerusale.shtml. Its origin is uncertain, as it was believed to have originated in Israel, but evidence from 1991 indicates that it may be from Italy.https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=631#none As of the year 1993, Jerusalem was still spreading in the wild and many variants have been created. The last reported Jerusalem incident was in 1995, nearly 8 years after it was first discovered. The virus has gone by many names, some that refer to its possible origin and its Friday the 13th payload date. Behavior Jerusalem infects any executables under DOS. Upon execution, the virus becomes resident, staying in the memory even after the host program has been terminated. The virus then infects all programs that run after the first infected file is run, but it avoids COMMAND.COM. The original Jerusalem and some early variants have a bug that causes them to infect files more than once, sometimes causing the files to consume all available storage space. Payload Jerusalem delivers two payloads, one that is annoying but relatively harmless and the other destructive. The non-destructive one, which activates 30 minutes after the executed causes row 5 column 5 to row 16 column 16 on the screen are scrolled up two lines, creating a "black window", then the system slows down due to a time-wasting loop installed on each timer interrupt. The destructive payload activates on any Friday the 13th, deleting any program run on that day and display the message: Bad Command or file name It is noticeable that the "C" is not in uppercase in the original message generated by the system. Removal Use F-Prot, NAV, or delete the infected files. Variants Over the years that Jerusalem spread, many virus coders created variants of the virus, making Jerusalem one of the largest families of viruses ever created. It even includes many sub-variants and a few sub-sub-variants. Most variants are unimaginative, simply changing the payload date, text displayed or even nothing at all. Some variants contain fixes for the bugs of the original. Tuesday(Ah) See the main page: Ah Suriv Suriv is older than the virus considered the original Jerusalem, but is still considered a part of the Jerusalem family because it is very similar, but never had Jerusalem's level of prominence. Suriv has three variants. Suriv.1 and 2 trigger their payloads on April 1 (a holiday for pranks in some western countries), while Suriv.3 activates on the 13th if the day is Friday. Some payloads of Suriv do not activate until after 1988. This virus has several variants from Argentina, but the originals come from Israel's Hebrew University. Suriv.1 This variant infects only COM files, and it sometimes called as April_1.comhttps://www.f-secure.com/v-descs/apr1-com.shtml because of its payload activation date. On activation it displays the following: APRIL 1ST HA HA HA YOU HAVE A VIRUS Suriv.2 This variant is likely the first EXE infecting virus. It sometimes called as April_1.exehttps://www.f-secure.com/v-descs/apr1-exe.shtml because of its payload activation date. On activation it displays the following APRIL 1ST HA HA HA YOU HAVE A VIRUS Suriv.3 This variant is able to infect both COM and EXE formats. It may also be the first virus to infect both formats. Jerusalem-113 This variant avoids PHENOME.COM instead of COMMAND.COM, so that COMMAND.COM could be infected if it is run while the virus is in memory. As the payload, programs cannot be run on Saturdays. Anarkia The Anarkia variant uses the word "Anarkia" as its self-recognition code. Otherwise, it is completely identical to the original Jerusalem. Apocalypse Jerusalem.Apocalypse contains the text "Apocalypse!!". On Friday the 13th, if the virus is memory-resident, it will delete any file run. Captain Trip Jerusalem-Captain Trip contains the strings "Captain Trips" and "SPITFIRE". If the year is any year other than 1990 and the day is a Friday on or after the 15th, if a program is run, Jerusalem-Captain Trip creates an empty file with the same name as the program. On several other dates it installs a routine in the timer tick that activates when 15 minutes pass. On the 16th Jerusalem-Captain Trip re-programs the video controller. Jerusalem-Captain Trip has several errors. Carfield The infection size of COM is fixed while that of EXE is variable. The infection size of COM is 1,508 bytes, and that of EXE is between 1,508 and 1,522 bytes. The virus consumes 1,744 bytes in memory. If the day is Monday, if the virus is memory-resident, the computer will display the string "Carfield!" every 42 seconds. Czech On Friday the 13th, if the virus is memory-resident, it will delete any program run. Jerusalem.Czech has a self-recognition code and a code placement that differ from the original Jerusalem.https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/jerusalem.czech Frère This variant and some sub-variants are reported to play tunes on a certain date. Frère.A plays Frère Jacques every 3 minutes and 45 seconds if the day is Friday or the 13th of any month. Jerusalem. Frère.B plays Frère Jacques every ten seconds. Friday-15th (Skism) Friday-15th causes infected files to grow by 1,813 bytes. On Friday the 15th, if the virus is memory-resident and a program is run, the virus will create a new file with the same name as the program. FuManchu The FuManchu variant is 2,086 bytes long and possibly comes from Britain. The creator of FuManchu eliminated some of the more destructive aspects contained in the original Jerusalem and other variants. The virus censors text containing four letter words and adds comments when the words "Reagan", "Thatcher", "Botha" and "Waldheim" are typed. When the user types "Control+Alt+Delete", the virus displays the message "The world will hear from me again!". It also contains some bug fixes of the original Jerusalem.https://www.f-secure.com/v-descs/fumanchu.shtml Jan25 On January 25th, if the virus is memory-resident, it will delete any program run. Jerusalem.J The variant causes .COM files to grow by 1,237 bytes. .exe files grow by about 1,232 bytes. Jeruspain (Jeru-Spanish) If the virus is memory-resident, Jeruspain will delete any program if the program is run on the 26th of any month. Mendoza The virus does nothing if the year is 1980 or 1989. For all other years, if the virus is memory resident and if the floppy disk motor count is 25, a flag is set. The flag will be set if a program is run from a floppy disk. If the flag is set, every program which runs is deleted.If the flag is not set and 30 minutes passes, the cursor is changed to a block. After one hour, Caps Lock, Nums Lock, and Scroll Lock are switched to "Off". Nemesis The virus avoids NEMESIS.COM instead of COMMAND.COM, and therefore infects COMMAND.COM. Jerusalem-Nemesis contains the string "NEMESIS.COM". PQSR The PQSR variant causes infected files to grow by 1,720 bytes. In addition, any programs run on the thirteenth of any month regardless of the day of the week will be deleted. It uses "PQSR" as its self-recognition code. Rosebud It activates when the day and month numbers add up to 30 (i.e. January 29 and December 18), if the virus is memory-resident, it will delete any program run. It does not avoid COMMAND.COM, and can also infect COMMAND.COM. Sunday See also: Sunday Files infected by the Sunday variant grow by 1,636 bytes. Every Sunday the virus displays one of three messages every 30 minutes. Today is SunDay! Why do you work so hard? All work and no play make you a dull boy! Come on ! Let's go out and have some fun! This variant also attempts to delete every program run, regardless of the day, but this variant contains bugs that prevent it from doing so. The Sunday variant also has some sub-variants and even sub-sub-variants. These text strings can also be found in virus Devil. Sunday.b A version of Sunday which has a working program-deleting function. Sunday.1.b Similar to Sunday.b, except a bug regarding the Critical Error Handler, which causes problems on write-protected disks, has been fixed. Sunday.1.d Similar to Sunday.1.a, except the same bug is fixed in a different way. Sunday.1.Tenseconds Similar to Sunday.a, except the delay for the messages is now 10 seconds. In addition, the test for Sunday is correctly set for say 0 instead of 7. Sunday.2 Similar to Sunday.1.a, except files grow by 1,733 bytes. Jerusalem.T13 The virus causes .COM and .EXE files to grow by 1,812 bytes. On Tuesday the 13th, if the virus is memory-resident, it will delete any program run. Westwood The Westwood variant appeared in the Westwood district in Los Angeles, California. It is similar in most ways to the original Jerusalem. Westwood infects .ovl files in addition to .com and .exe files. It increases .exe and .ovl files by between 1,819 and 1,829 bytes and .com files by 1,829 bytes. Westwood was also coded with a fix for the bug that causes the original Jerusalem to continuously infect .exe files. This variant was not prevalent enough to be reported as wild by the WildList organization, and it is uncertain if it ever left the American state of California. Yellow Jerusalem-Yellow does not infect .exe files. All files infected grow by 1,363 bytes. After the virus is loaded into memory, when 45 minutes pass or when 4,096 keystrokes are entered, Jerusalem-Yellow creates a large yellow box with a shadow in the middle of the screen and the computer hangs. Other variants *Jerusalem.1244 *Jerusalem.1361 *Jerusalem.1500 *Jerusalem.1600 *Jerusalem.1767 *Jerusalem.1808.Blank *Jerusalem.1808.Critical *Jerusalem.1808.CT *Jerusalem.1808.F *Jerusalem.1808.Nul *Jerusalem.1808.Sat_14 *Jerusalem.1808.Standard *Jerusalem.1808.Std.A *Jerusalem.A-204 *Jerusalem.Anni *Jerusalem.Anticad.4096 *Jerusalem.Anticad.4096.A *Jerusalem.Anticad.4096.B *Jerusalem.AntiScan *Jerusalem.Atb *Jerusalem.BSA *Jerusalem.Bupt *Jerusalem.Curse *Jerusalem.CVEX *Jerusalem.Danube *Jerusalem.Dengue (There is also a Dengue virus by 29A member Griyo.) *Jerusalem.Doomsday *Jerusalem.Enigma *Jerusalem.EOS *Jerusalem.EVg *Jerusalem.Exciter *Jerusalem.Hack *Jerusalem.HaHa *Jerusalem.HK.2886 *Jerusalem.June_13 *Jerusalem.KbWin *Jerusalem.Kylie *Jerusalem.Math *Jerusalem.Messina *Jerusalem.Moctezuma *Jerusalem.Moroccan *Jerusalem.MsDns *Jerusalem.Mule *Jerusalem.Mummy.1364.A *Jerusalem.Mummy.2_1 *Jerusalem.Mummy.2_1.A *Jerusalem.Naita *Jerusalem.Phenome *Jerusalem.Pipi.1536 *Jerusalem.Pipi.1548 *Jerusalem.Pipi.Aurora *Jerusalem.Plastique *Jerusalem.Prog *Jerusalem.Puerto *Jerusalem.Rambo *Jerusalem.Satan *Jerusalem.Smile *Jerusalem.SP_VI *Jerusalem.Timor *Jerusalem.Tontom *Jerusalem.Totoro (or Dragon?) *Jerusalem.VerD *Jerusalem.Viajero *Jerusalem.Vicky *Jerusalem.Zerotime.Austr Reported Variants These variants has been reported to exist, but their existence cannot be confirmed. Some may be complete fiction, while others may simply be aliases of variants already listed here and a few may be variants that there is simply no information on. Most of the "reports" of the existence of these viruses come from an extensive, if poorly sourced, article on Jerusalem from Wikipedia. In order for these variants to be removed from this sub-heading and placed directly under "Variants", they will need a non-wiki source, preferably from a virus research group, university or antivirus product vendor. Sat13 On Saturday the 13th, if the virus is memory-resident, it will delete any program run. Jerusalem.T1 On Tuesday the 1st, if the virus is memory-resident, it will delete any file run. Others *1af *2e7 *3503 *52f *5a4 *65d6 *6d46 *7c01 *a204 *b0f *BSA *Dragon *Feb-7th *ffd *Flag_ee *JVT1 *Mummy.1364.a *Not13 *Nov30 *Standard.SuMsdos *Standard.Var *Standard.AA33CCDDEE *Standard.UMsDos *Standard.null *Standard.Nocommand *sUMFDos *Turkish Names Jerusalem could be considered the poster-child virus for a need for a consistent naming scheme among antivirus distributors. While the name "Jerusalem" eventually stuck and became the one most people use to refer to this virus, it went by many other names, many of them would have been in violation of the Computer Antivirus Research Organization (CARO) naming scheme created in 1991. Some of these names include: Aliases *1808(EXE) *1813(COM) *ArabStar *BlackBox *BlackWindow *Friday13th *HebrewUniversity *Israeli *PLO *Russian Sources Mark Ludwig. Computer Viruses, Artificial Life And Evolution, "Metabolism And Adaptability" pp 43-44. American Eagle Publications, 1993. ISBN 0-929408-07-1 References Category:Virus Category:DOS Category:DOS virus Category:Virus from 1980s